Cem Kaner, Ph.D., J.D.	P.O. Box 1200
Law Office of Cem Kaner	Santa Clara, CA 95052
kaner@kaner.com	408-244-7000

Proposed Article 2B: Problems from the Customer's View

Part 1: Underlying Issues

Cem Kaner, J.D., Ph.D.
Santa Clara, California

Article 2B will cover all transactions in Information (a broadly defined term that includes software). It also provides some rules for electronic commerce. My primary interest in Article 2B is that it will define the law of software quality. This statute will define the legal ground rules under which we develop, sell, and support software.

At the July meeting of NCCUSL, the July 1996 draft of Article 2B was criticized for a perceived lack of consumer protection. I think the problem is broader-the draft fundamentally favors licensors (such as software publishers) at the expense of licensees (customers, who may or may not be consumers). Where both entities are large businesses who will negotiate for the terms they want anyway, it doesn't matter. Where the licensee is an individual or a small business, I think there are serious problems.

I believe that this proposed statute, if enacted, would harm the software industry. I believe that it reduces the accountability of licensors to their customers, and therefore blesses a lowering of concern for quality in the American software marketplace. The rest of the world is driving toward higher software standards and tighter control of their software development processes. Over the long term, we risk losing yet another key American industry.

Ray Nimmer, the Reporter of the 2B committee, wrote a new draft of Article 2B on September 4. It makes several changes from the July (and previous) versions, but I think that the main issues are still unresolved, or resolved in favor of licensors.

I hope that this series of memos will clarify the issues and stir up some interest among counsel who represent customers.

• I particularly urge counsel who represent small businesses to consider this statute. The 7-11 owner, the working-at-home-while-unemployed network marketer, the neighborhood church, and the local veterinarian-none of these people seem to be represented at the Article 2B meetings. I thought that they weren't well served by the July 1996 draft (and previous ones). The September 1996 draft goes further, narrowing the definition of "mass market licenses" in ways that will exclude small businesses from the few protections actually provided by the mass-market clauses.
• I also urge counsel who represent small and mid-size software resellers to pay more attention to this statute. If software publishers have little responsibility to stand behind their products, the first people who will bear the anger of unhappy customers will be your clients.

One prefatory note. Even though I write bluntly about the Article 2B draft, I have tremendous respect for the drafting committee, especially and including Ray Nimmer. Nimmer's book, The Law of Computer Technology, is the first book that I turn to when researching almost any computer law question. He is a remarkable author and researcher and a decent and thoughtful person.

In the next memo, I'll provide a long list of specific issues that I think need to be addressed. The rest of this memo uses a few examples to illustrate the point that the Article as a whole is biased against customers.

The Notion of Breach

Article 2B rejects the perfect tender rule and adopts the notion of material vs. substantial performance. An aggrieved party doesn't have the right to cancel a contract unless the breach is material.

Here is the definition of substantial performance in the July and September drafts.

Here is the July draft definition of a material breach:

Look closely at (c), which defines a material breach by enumeration. (Some attorneys will argue that a breach is not material if it is not in the enumerated list.) Now consider the software publisher and the customer of the publisher.

• (c)(1) protects the publisher from breach by the customer.

  (The publisher is allowed to impose a duty of confidentiality in the license agreement, and therefore the customer might have confidential data of the publisher. The publisher has no confidential data of the customer.)

• (c)(2) protects the publisher from breach by the customer.

  The customer is in breach by making more backup copies of the software than are allowed by the license, by violating the publisher's copyright, etc. The publisher has no intellectual property that is owned by the customer.

• (c)(3) protects the publisher from breach by the customer.

  The customer didn't pay the license fee and is in breach.

• (c)(4) -- there is no (c)(4). What paragraph protects the customer from breach by the publisher?

  What about these? Aren't these material too?

  • the product doesn't work at all
  • the advertised benefits have not been delivered
  • the disks are blank (the information was never delivered)
  • the product caused substantial harm to the property or the business of the licensee
  • the licensor supplied a product that lack promised features or capabilities
  • it deprives the customer of the benefit that she reasonably expected
  • the customer spent so much time, effort, or money dealing with this problem that the cost to the customer of the software's failures exceeded the cost of the product.

  If so, why aren't these (or any others) listed? Why, across several drafts of Article 2B, were these not included in the list of material breaches? What does it tell us about the underlying thought processes when, in draft after draft, only breaches by customers are included in a list of "material" breaches?

  The September draft revised this language, as follows:

  (b) A breach is material if the contract so provides.

  In the absence of express contractual terms, if the circumstances language of the contract, expectation of the parties, and character of the breach indicate that the breach caused or may cause substantial harm to the interests of the aggrieved party, that the injured party will be substantially deprived of the benefit it reasonably expected under the contract, or if it meets the conditions of subsection (c) or (d).

  (c) A breach is material if it involves:

  (1) a failure to perform in a manner consistent with express performance standards;

  (2) knowing or negligent disclosure or use of confidential information of an aggrieved party not authorized by the license;

  (3) knowing infringement of an aggrieved party's intellectual property rights not authorized by the license and occurring over more than a brief period; or

  (4) an uncured [substantial] failure to pay a license fee when due which is not justified by a bona fide dispute about whether payment is due.

  This is slightly better. The language "substantially deprived of the benefit" might cover a broader range of cases than "substantial harm to the interests of the aggrieved party".

  But the enumerated list is still quite limited. "Express performance standards" (as Ray Nimmer explained to me at the Minneapolis meeting) means terms that occur specifically in the contract. In the mass-market software case, the licensor generally disclaims all performance standards (no warranties, express or implied, etc.) except for a promise that the disks themselves are non-defective. At this point, there is still nothing in the statute that defines a licensor-side material breach in a mass-market contract.

  The Notion of Conspicuousness

  The current Article 2 requires that some terms in a contract be conspicuous. For example, if you won't promise that your merchandise is fit for its ordinary purposes, you have to say so conspicuously.

  Article 2 case law has consistently held that disclaimers of implied warranties must be conspicuous at the time of, or before the time of, the sale. In software, we see this principle adhered to in Step-Saver Data Systems, Inc. v. Wyse Technology and The Software Link, Inc., 939 F.2d 91 (3^rd Cir., 1991), Arizona Retail Systems, Inc. v. The Software Link, 831 F. Supp. 759, (D. Ariz., 1993) and Tandy Corp. v. McCrimmon 414 S.E.2d (Ga. Ct. App., 1991). There are also non-software cases. Here is Clark & Smith's summary from The Law of Product Warranties (1984; supplemented 1994) p. 8-18:

  The disclaimer may be found in an operator's manual, or in sales literature not sent to the buyer until sometime later, or it may be hidden away in the package that also contains the goods, with no warning on the outside of the package. In all of these cases, it is as though the seller were determined that the buyer should not see the disclaimer until after the fact. Given this seller perversity, it is not surprising that the courts generally nullify such post-contract disclaimers.

  For those of us who lack X-Ray eyes, a disclaimer that is packaged inside of a box is non-visible and therefore inconspicuous at the time of sale.

  Article 2B changes this. In previous drafts of Article 2B, the Reporter's Notes explicitly stated that Article 2B would "overrule" the Step-Saver decision. The replacement is the combination of "manifest assent" (2B-112) and "opportunity to review" (2B-113).

  The shrink-wrap disclaimer of warranties becomes binding on the customer when the customer "manifests assent" to the disclaimer. In the case of a retail purchase, the sequence is as follows:

  1. The customer goes to the store.

  2. The customer looks at various products. None of them provide warranty information on the box.

  3. Despite the Federal Trade Commission Regulation, "Pre-sale availability of written warranty terms" (15 CFR §702.3), most software stores won't open the box to let the customer read the warranty or disclaimer.

  4. The customer buys a program and takes it home or to the office.

  5. The customer opens the box and starts installing the software.

  6. During installation, the program displays the warranty disclaimer. The customer can click "OK" to keep installing the program or can take the program back to the store. Most stores will provide a refund. Some will not refund opened software packages. In these cases, the customer has to call the software publisher (paying toll charges and possibly paying the publisher's standard charge for telephone support), get authorization to return the program, repackage and ship the program, and eventually get a refund.

     If the customer returns the program, go back to step (1).

  7. If the customer clicks "OK" then this post-sale disclaimer of warranties has been expressly agreed to by the customer and it is therefore binding on the customer.

  One of the core tenets of consumer protection is the notion of informed choice. Critical information about a product is made available to the consumer before the sale so the consumer is in a position to understand the relative benefits from competing products. The conspicuousness clause makes sure that the customer (not just a consumer in Article 2 -- any customer) becomes aware of particularly oppressive terms (such as a seller's refusal to guarantee that its product is fit for its normal purposes) before the sale.

  It seems to me that the requirement of "conspicuousness" has become largely meaningless under this scheme. The customer doesn't learn of the must-be-conspicuous term until after the purchase decision has been made and the customer is trying to use the product. At this point, the customer will probably not ask for a refund. We have replaced an information-transmission requirement with a formality.

  Based on my discussions with individual Committee members and based on the discussions at the drafting Committee meetings, I am convinced that a majority of the Committee:

  1. don't think that there is a public policy that new software be reasonably fit for its intended purpose, in the same way that there is a public policy that new goods should be reasonably fit for their intended purpose;
  2. don't think that dropping pre-sale conspicuousness drops any real consumer protection;
  3. think that "manifest assent" actually adds significant consumer protection.

  The Fiction that Manifest Assent Indicates Genuine Assent

  Here is the definition of manifest assent. It rests partially on an "opportunity to review" which is satisfied if you can return the software for a refund after seeing the license.

  Section 2B-112. Manifesting Assent

  (a) A party or an electronic agent manifests assent to a record or, if assent to a particular term in addition to assent to a record is required, to the term if, after having an opportunity to review the record or term under Section 2B-113, it:

  (1) [signs] [authenticates], or engages in other affirmative conduct that the record conspicuously provides or the circumstances clearly indicate will constitute acceptance; and

  (2) had an opportunity to decline to [sign] [authenticate] or engage in the conduct after having an opportunity to review.

  (b) The mere retention of the information or the record without objection is not a manifestation of assent.

  (c) A party's conduct does not manifest assent unless the record was called to the party's attention before the party acts.

  (d) If assent to a particular term in addition to assent to a record is required, a party's or an electronic agent's conduct does not manifest assent to the term unless there was an opportunity to review the term and the conduct manifesting assent relates specifically to the term.

  In the section on conspicuousness, above, I traced the steps involved in obtaining manifest assent. The installation program displays a term and, to complete installation of the already-paid-for-and-delivered software, the customer clicks "OK".

  What about the customer who brings the software back to the office, gives it to her secretary, and says "Use this new program." The secretary installs the program on his computer, clicking on "OK" as required. Does the "OK" of the secretary bind the employer? I assume so. (If not, I have some good advice for software customers . . . .)

  Now, here is what a publisher can do with manifest assent.

  Section 2B-308. Mass-Market Licences

  (a) Except as otherwise provided in subsection (b) and Section 2B-309, a party adopts the terms of a mass-market license if, before or within a reasonable time after beginning to use the information pursuant to an agreement or commencing performance, the party manifests assent to the license.

  (b) Terms adopted under subsection (a) include all of the terms of the license without regard to the knowledge or understanding of individual terms by the party assenting to the form. However, except as otherwise provided in subsection (c), a term does not become part of the contract if the term creates an obligation or imposes a limitation on the party who did not prepare the form:

  (1) that [is not consistent with customary industry practices at the time of the contract and which] a reasonable [person in the position of the party proposing the form should know would cause an ordinary and reasonable person in the position of the party receiving the form] to refuse the license if the term were brought to the attention of that party; or

  (2) that conflicts with the previously negotiated terms of agreement of the parties relating to the transaction.

  (c) A term excluded under subsection (b) becomes part of the contract if the party who did not prepare the form manifests assent to the term.

  (d) A term of a standard form that is unenforceable under other provisions of this [article], such as a provision that expressly requires use of conspicuous language or assent to the term, does not become part of the contract unless those other provisions are satisfied.

  (e) The terms of a mass market license are to be interpreted whenever reasonable as treating all similarly situated parties in a similar fashion without regard to their knowledge or understanding of the terms of the record.

  (f) A party proposing the license has the burden of proving customary industry practices under subsection (b)(1).

  Section 2B-309. Conflicting Terms.

  (a) If the parties exchange records that purport to contain the terms of an agreement and the records contain varying terms, the varying terms do not become part of the contract unless the party claiming inclusion establishes that:

  (1) the other party manifested assent to the term;

  So a term in a mass-market license (which the customer sees after paying for and taking delivery and opening the software), can include:

  • any term that is consistent with current industry practices (whether those have been historically enforceable or not), subject to the restriction that if a reasonable licensor would know that a reasonable customer would reject the agreement then it is not part of the contract unless this particular customer manifests assent to it.

    American customers are reluctant to return defective merchandise. Only a small fraction, often estimated as 5%, of the people who buy defective merchandise will take it back to the store or otherwise complain. According to Softletter (March 29, 1995, p. 2), the percentage of customers returning new software in direct sales channels has dropped to about 2%. (However, Jim Cox of the Software Support Professionals Association cites survey data that software customers are at a 10-year low in satisfaction with customer service. Maybe more people should reject these licenses?)

    Therefore, it would take a truly remarkable term indeed that would make a publisher or reseller reasonably predict that the typical licensee would cancel the transaction just because of that particular term.

  • any term that is not consistent with current industry practice, so long as this particular customer manifests assent to the term.

  • any term that conflicts with a previously negotiated term, so long as the customer manifests assent to the standard term.

    Surely, if we believe in "freedom of contract" (an often-used phrase in the meetings), we would want specifically negotiated terms to have priority over standard terms that appear only on the seller's form.

    The notion of "manifest assent" allows the publisher to pretend that the customer is actually agreeing to a retraction of the specifically negotiated term in favor of the standard term that she thought she had negotiated her way out of.
    

  The notion of manifest assent is remarkably powerful. Here are some of the things (this is a non-exhaustive list) that you can put into the license agreement and make enforceable against the customer even if he never saw them or suspected them before paying for the software, accepting delivery of the software, opening the software, and starting to use it:

  • disclaimer of all implied warranties
  • disclaim licensor liability for viruses, even for a virus that the licensor knows is on the disk
  • limitation of licensor-provided remedies to replacement of the disk
  • unlimited licensee-provided remedies: licensee accountable to the licensor for consequential damages even though the licensor has excluded consequential damages to the licensee
  • prohibition against reverse engineering
  • prohibition against decompiling of the software
  • prohibition against developing products that are inter-operable with this one
  • prohibition against making backup copies
  • prohibition against lending or reselling the software
  • choice of law to the seller's state, which (in the September draft) might not even be in the United States
  • choice of forum to the seller's state (even for $30 consumer software, a Massachusetts customer might have to file suit in California)
  • arbitration of all disputes
  • the customer must pay fee-based support from the first minute of the customer's possession of the product, even for actual bugs in the product (One product recently advertised for sale to attorneys came with a support policy of $2 per minute for all calls about the product.)
  • restrictions on the location of use of the product, such as not being able to load or run a single copy on a machine that is used as a network server
  • restrictions on the nature or purposes of use of the product
  • restrictions on who can use the product
  • restrictions on the duration of use of the product
  • inclusion of disabling code that will shut down the software if it is used too many times or for too long
  • reduced statute of limitations, without tolling the statute while the parties try to fix the problems

  One Last Point About Manifest Assent.

  This is a powerful tool. Note that it can be used by the licensor against the licensee (click OK to agree to these terms during installation). The licensee has no comparable opportunity to slip his terms by the licensor. There is no mechanism, for example, for the licensee to exclude consequential or incidental damages.

  This powerful tool works only one way--it gives the licensor the ability to claim that the licensee actually agreed to its standard contract terms, but it never gives the licensee the opportunity to claim that the licensor agreed.

  The old Article 2 had some difficult rules to cover the battle of the forms. The new 2B has a much simpler rule. The licensor always wins.

  Liability for Viruses

  One of the ways that a software publisher can trash your data is by including (oops) a virus with the software that it sells you. Normally, I would think that shipping a software product that trashes your hard disk would be a material breach of contract. It might be a tort too, but the court in Rockport Pharmacy, Inc. v. Digital Simplistics, Inc., 53 F.3d 195 (8^th Cir., 1995) made the licensees look to their contract for recovery in a case involving destruction of data. Here's the draft's language for dealing with viruses:

  Section 2B-319. Electronic Viruses

  (a) Except as provided in Section 2B-320, 2B-321, or 2B-712, each party undertakes that its performance or electronic messages will not introduce extraneous programs, code, or viruses that may be reasonably expected to damage or interfere with the use of data, software, systems, or operations of the other party and are not disclosed to the other party.

  (b) A party is not liable under subsection (a) if:

  (1) The circumstances or terms of the contract give the other party reason to know that action was not taken to ensure exclusion of the programs, code, or viruses or that a clear risk exists that they have not been excluded.

  (2) The party exercised reasonable care to exclude the programs, extraneous code or viruses.

  (c) If the performance is a transfer of rights, the obligation under subsection (a) relates to the time when the transfer of rights is completed. In all other cases, the obligation relates to the time that the message or performance is received.

  (d) Language in a record or display is sufficient under subsection (b)(1) if it states "Warning: May contain viruses or potentially damaging code," or words of similar import. In a [mass market] [consumer] license, the disclosure in subsection (a) or the language negating the obligation under subsection (b)(1) must be conspicuous.

  (e) In determining whether reasonable care was exercised under subsection (b)(2), a court shall consider the nature of the party, the type and value of the transaction, and the general standards of practice revailing among persons of similar type for similar transactions at the time of the performance or the transmission of the message.

  For software publishers, virus control is not rocket science.

  • You buy several different virus detection programs.

  • (Some viruses are written specifically to exploit holes in specific detector programs.) (And different detectors have different techniques for detecting viruses that hadn't been invented when the detector was published.)

  • You keep your virus detectors up to date. (An article in the National Computer Security Association's Guide to PC and Lan Security (Stephen Cobb, 1996) recent book on network security claimed that 10 shrinkwrap products were released with the Michaelangelo virus simply because the software publishers hadn't updated their virus checkers. Having managed software quality control groups and interacted widely with other software quality managers, this claim is entirely believable to me.)

  • You use brand new disks to make your masters

  • You methodically follow a checklist for verifying that the disks went to your disk duplicator virus-free and they came back virus-free.

  I don't know anyone, or know of anyone, in the industry who followed these steps and released a product with a virus. I can imagine that it might happen, but in the cases that I've heard about second hand (over a few hundred product releases, no one associated with me has ever let through a virus), the software release staff took some shortcuts and got burned. Rather, their customers got burned.

  Viruses are a potential huge problem. Presumably, we would like to encourage software companies to exercise care to prevent the release of products with them. It's relatively inexpensive to a publisher to buy five virus checkers and their update contracts (total cost is maybe $500). But for an individual customer, this is a big investment. It also wastes a huge amount of customer time to thoroughly test software for viruses, when the software publisher could do it once, saving everyone downstream from the bother of it.

  The Article 2 approach is not quite this way, however . Instead Under 2B-319(b)(1) the publisher can simply include a disclaimer in the license agreement. (It has to be conspicuous, but it can be conspicuous" post-payment and post-delivery so long as you get "manifest assent").

  Or the publisher escapes liability if it exercised reasonable care. Non-negligent conduct becomes a shield for the publisher. How often in this Article does negligent conduct become available as a sword for the licensee? I think the number is zero. I don't object to the inclusion of some fault-related and negligence-related language in the UCC. I just want it to sometimes operate in the customer's interest. Another negligence example is in 2B-701. The measure of consequential damages is to be reduced by "that part of a loss that could have been avoided by taking measures reasonable under the circumstances to avoid or reduce loss resulting from breach, including the maintenance before breach of reasonable systems for backup or retrieval of lost information."

  Again, the customer loses the ability to recover if she is negligent. When does the publisher lose if it is negligent?

  Remedies

  My final note regards remedies. The mass market customer will often have no remedies.

  Revised Article 2 proposes that the aggrieved party should always be entitled to a "minimum adequate remedy." There is no hint of that in the draft of Article 2B.

  Article 2B allows the publisher to fully exclude incidental and consequential damages. (In the July draft, consequential damages were automatically excluded, by default.) If the other remedies fail of their essential purpose, these exclusions still apply. If the customer ends up with no remedy, well, the customer should have negotiated a better contract.

  Software publishers are charging for support these days. If you pay by the call, or by the incident, you might pay as much as $190 (that's the largest number I've heard) for an "incident." Some publishers start charging from the day you open your package. They provide no free support period. Some charge even if you are calling to report a bug.

  You can spend more on the cost of calling the software publisher about a bug or two than you spent on the program. These are incidental expenses. You don't get them back (because the mass-market license will always exclude them.)

  If it costs you more to get authorization to return a product than you will gain back from the refund, what remedy do you have against defective products?

  In July, Consumers Union asked for a minimum assured remedy of repair or full refund. This is a nice start, but the customer's costs of defective products sometimes go well beyond the refund, and the transaction costs of reporting a bug (long hold times-sometimes 1.5 hours-on toll-costing long distance lines; pay-by-the-call support; cost of shipping the product back; etc.) can themselves go beyond the price of the program. Under these circumstances, the refund that the customer will finally get if he is willing to spend the money and jump through the hoops, is just an illusion. There is no remedy.

  Competent software test organizations find most of the bugs that their products ship with. Most bugs that customers call about were found and deferred (publisher decided not to fix them) before the product was released. There are surprises, but if you keep manufacturing the product after 100 customers have called to complain about a bug, you (publisher) can no longer claim "surprise" about the bug in any newly made copies of the product, can you?

  If the publisher knows that a bug will damage some customers' data or that it will fail under other predictable circumstances, but doesn't warn customers about these circumstances, and if a customer loses money because of this known bug, what public policy does it serve to say to the customer: "no matter how much you lost, you get no more than a refund (or maybe just a partial refund"?

  What public policy does it serve to say to the publisher: "No matter how much you knew and no matter how much fully predictable damage you did to your customer, the worst you'll ever have to pay back is a refund."?

  The core problem with Article 2B is that it provides such minimal remedies to aggrieved customers.

  In later memos, I'll point out the range of remedies that Article 2B provides to aggrieved publishers. They are not insignificant. As in the rest of the Article, the balance favors the licensor.
  

  Cem Kaner attends Article 2B meetings as an observer. He consults on technical and management issues, practices law, and teaches within the software development community. His book, Testing Computer Software, received the Award of Excellence in the Society for Technical Communication's 1993 Northern California Technical Publications Competition. He has managed every aspect of software development, including software development projects, software testing groups and user documentation groups. He has also worked as a programmer, a human factors analyst / UI designer, a salesperson, a technical writer, an associate in an organization development consulting firm, and as an attorney (typically representing customers and software development service providers). He has also served pro bono as a Deputy District Attorney, as an investigator/mediator for Santa Clara County's Consumer Affairs Department, as an Examiner for the California Quality Awards. He holds a B.A. (Math, Philosophy, 1974), a J.D. (1993), and a Ph.D. (Experimental Psychology, 1984) and is Certified in Quality Engineering by the American Society for Quality Control. He teaches at UC Berkeley Extension, and by private arrangement, on software testing and on the law of software quality.